DETAILED ACTION

1. This is in reply to the amendment filed on January 31, 2007. Claim 14 is amended.

2. There are five independent claims namely 1, 13-14, 22-23. 

3. Applicant's representative, Darcell Walker (Registration No. 34,945), and
Examiner discussed the limitations recited in the independent claims. It is found
that although the limitations recited in the respective independent claims
produce a useful and concrete result, the recitation of the claims does not
clearly establish a statutory category of invention because it does not
produce a tangible result. The parties further discussed how the
independent claims should be amended to make the claims statutory. Accordingly,
both parties (Examiner and applicant's representative) agreed that if the
limitations recited in dependent claims 3, 15 and 25 are incorporated into the
respective independent claims, the independent claims would not only result
in a practical application producing a concrete and useful result, but also
produce a tangible result to form the basis of statutory subject matter under 35
U.S.C. 101 (MPEP § 2106 IV). Accordingly, the following Examiner's amendment
is made. Examiner suggested that further search, consideration and approval
from the supervisor is required before determining whether or not the
application is allowable.

EXAMINER'S AMENDMENT 

An examiner's amendment to the record appears below. Should the
changes and/or additions be unacceptable to applicant, an amendment may be filed as
provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be
submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given in a telephone interview
with Darcell Walker (Registration No. 34,945) on 04/12/2007.

The application has been amended as follows: 
IN THE SPECIFICATION 

On page 13, delete the paragraph beginning on line 19 and insert the paragraph below 
in place thereof: 

It is important to note that while the present invention has been 
described in the context of a fully functioning data processing system, 
those skilled in the art will appreciate that the processes of the present 
invention are capable of being distributed in the form of instructions in a 
computer readable medium and a variety of other forms, regardless of 
the particular type of medium used to carry out the distribution. 
Examples of computer readable media include media such as EPROM, 
ROM, tape, paper, floppy disc, hard disk drive, RAM, and CD-ROMs and 
transmission-type of media. 

IN THE CLAIMS 

1. (Currently Amended) A method for controlling access to a computing system
resource, being accessed through a symbolic link file, with an externally stored resource 
comprising the steps of: 

determining a system resource named in the symbolic link through which an 
access attempt is made; 

searching a protected objects database for entries protecting said system 
resource and generating a list of said entries; and 

generating an authorization decision for the access attempt based on security 
policies that govern all entries in the protected objects database that protect the system 
resource, the authorization decision being generated by retrieving a current entry from 
said generated database list; calling an access decision component of the externally 
stored resource to obtain an access decision for the access attempt based on the 
security policy that governs the current entry in the generated database list; 
determining whether the access decision component granted access; if the decision 
component granted access, determining whether more entries are in this database list; 
and updating a current entry in said database list when more entries are in the list and
returning to said current entry retrieving step.

3. (Canceled) 

4. (Currently Amended) The method as described in claim 1 [[3]] further comprising the
step of denying the access attempt when the decision component denies access based 
on the security policy for the current database entry. 

5. (Currently Amended) The method as described in claim 1 [[3]] further comprising the
step of allowing the access attempt if no more entries are in the database list. 

13. (Currently Amended) A method for controlling access to a computing system device 
being accessed through symbolic link, said access control being implemented through 
an externally stored resource and comprising the steps of: 

monitoring the computing system for activities related to creating and accessing 
symbolic links that link to system resources;

generating an authorization decision governing a symbolic link creation attempt 
or a symbolic link access attempt based on security policies that govern all entries in 
the protected objects database that protect the system resource, the authorization 
decision being generated by retrieving a current entry from said generated database list; 
calling an access decision component of the externally stored resource to obtain an 
access decision for the access attempt based on the security policy that governs the 
current entry in the generated database list; determining whether the access decision
component granted access; if the decision component granted access, determining
whether more entries are in this database list; and updating a current entry in said
database list when more entries are in the list and returning to said current entry
retrieving step;

restricting the creation of symbolic link files based on the rules defined in the 
externally stored resource; and 

restricting accesses to system resources that are linked to and accessed by a 
symbolic link.

14. (Currently amended) A computer program product stored on a computer readable
storage medium for controlling access to a computing system resource, being accessed 
through a symbolic link file, with an externally stored resource comprising: 

instructions for determining a system resource named in the symbolic link through 
which the access attempt is made; 

instructions for searching a protected objects database for entries protecting 
said system resources and generating a list of said entries; and 

instructions for generating an authorization decision for the access attempt based 
on the security policies that govern all entries in the database protecting the system 
resource, the authorization decision being generated by instructions retrieving a 
current entry from said generated database list; instructions calling an access 
decision component of the externally stored resource to obtain an access decision 
for the access attempt based on the security policy that governs the current entry in 
the generated database list; instructions determining whether the access decision 
component granted access; if the decision component granted access, instructions 
determining whether more entries are in this database list; and instructions 
updating a current entry in said database list when more entries are in the list and 
returning to said current entry retrieving step. 

15. (Canceled) 

16. (Currently Amended) The computer program product as described in claim 14 [[15]]
further comprising instructions for denying the access attempt when the decision 
component denies access based on the security policy for the current database entry. 

17. (Currently Amended) The computer program product as described in claim 14 [[15]]
further comprising instructions for allowing the access attempt if no more entries in the
database list.

22. (Canceled)

23. (Currently Amended) A method for restricting the creation of a protected symbolic 
link that names a system resource comprising the steps of: 

determining a system resource named in a proposed symbolic link; 

searching a protected objects database for entries protecting said system 
resource named in the proposed symbolic link; 

generating a list of file entries that contain the system resource named in a 
proposed symbolic link; and 

generating an authorization decision for the access attempt based on security 
policies that govern all entries in the protected objects database that protect the system 
resource, the authorization decision being generated by retrieving a current entry from 
said generated database list; calling a creation decision component of the externally 
stored resource to obtain a decision for the symbolic link creation attempt based on the 
security policy that governs the current entry in the generated database list; 
determining whether the creation decision component allows creation of a symbolic 
link; if the decision component allowed creation, determining whether more entries are 
in this database list; updating a current entry in said database list when more entries 
are in the list and returning to said current entry retrieving step. 

25. (Canceled) 

26. (Currently Amended) The method as described in claim 23 [[25]] further comprising
the step of denying the creation attempt when the decision component denies the 
creation attempt based on the security policies that govern all entries in the database 
protecting the system resource. 

27. (Currently Amended) The method as described in claim 23 [[25]] further comprising
the step of allowing the symbolic link creation attempt if no more entries in the
database list.
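
Added example (not part of the Office action, the application, or the Tivoli reference): a Python illustration of the entry-by-entry decision loop recited in claims 1, 4 and 5 and, for link creation, in claims 23, 26 and 27. The database layout, the function names, and the rule that an entry protects a resource when its name resolves to that resource are assumptions made for illustration.

```python
import os
import tempfile

def entries_protecting(db, resource):
    """Search the protected objects database and list every entry whose
    name resolves (through any symbolic links) to the same resource."""
    target = os.path.realpath(resource)
    return [name for name in sorted(db) if os.path.realpath(name) == target]

def decision_component(db, entry, user, action):
    """Hypothetical stand-in for the external decision component: grants
    when the policy governing `entry` lists `user` for `action`."""
    return user in db[entry].get(action, set())

def authorize(db, path, user, action="access"):
    """Return (granted, denying_entry). Each entry protecting the resource is
    checked in turn; the first denial ends the loop, and the attempt is
    allowed only when no entries remain."""
    for current in entries_protecting(db, path):
        if not decision_component(db, current, user, action):
            return False, current
    return True, None

def demo():
    """Build a constructed file tree and policy set, then exercise the loop."""
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "payroll.db")
        notes = os.path.join(root, "notes.txt")
        for f in (secret, notes):
            open(f, "w").close()
        alias = os.path.join(root, "alias")      # protected symbolic link
        side_door = os.path.join(root, "side")   # link with no entry of its own
        os.symlink(secret, alias)
        os.symlink(secret, side_door)
        db = {  # constructed policies: action -> users the policy lets through
            secret: {"access": {"alice", "bob"}, "link": {"alice"}},
            alias: {"access": {"alice"}, "link": {"alice"}},
        }
        return {
            "alice_side": authorize(db, side_door, "alice"),
            "bob_side": authorize(db, side_door, "bob")[0],
            "bob_denied_by": os.path.basename(authorize(db, side_door, "bob")[1]),
            "bob_direct": authorize(db, secret, "bob")[0],
            "bob_link_to_secret": authorize(db, secret, "bob", "link")[0],
            "bob_link_to_notes": authorize(db, notes, "bob", "link")[0],
        }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because the list is built from the resolved resource rather than from the name used in the request, a policy attached to one link also governs access made directly or through an unlisted link to the same target.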

Allowable Subject Matter

As the result of Examiner's amendment, 

• Dependent claims 3, 15 and 25 are canceled and are incorporated into the
respective independent claims.

• Independent claim 22 is also canceled.

Thus claims 1-2, 4-14, 16-21, 23-24 and 26-28 remain in the application.

4. Claims 1-2, 4-14, 16-21, 23-24 and 26-28 are allowed.

5. The following is an examiner's statement of reasons for allowance: 

6. Referring to the independent claims, the art on the record, namely Tivoli,
discloses each and every limitation of the claims.

For instance, referring to the previous independent claims 1, 14 and 23,

Tivoli discloses a method for controlling access to a computing system 
resource, being accessed through a symbolic link file, with an externally stored 
resource [Page 1, paragraph 3 and 4; page 19, reference "File System Aliases"] 
comprising the steps of: 

• Determining a system resource named in the symbolic link through
which the access attempt is made; [Page 19, reference, "File System
Aliases"] ("the system resource" is the "target resource" or "the
underlying resources" pointed to by the symbolic link as explained on page
9, 1st paragraph and page 10 of the submitted disclosure by the
applicant. When a system resource or the target resource named in the
symbolic link or pointed to by the symbolic link is accessed or searched,
access to the target resource or the system resource will be determined
based on the authorization policy attached to the symbolic link through
which the access attempt is made as explained on Page 19, reference,
"File System Aliases" up to page 22, 2nd paragraph)

• Searching a protected objects database for entries protecting said system 
resource and generating a list of said entries; [Page 9, paragraph 4, 
reference "Protected Object Policies"; page 19, reference "File System 
Aliases" up to page 22 second paragraph] (As explained under the title 
"Protected Object Policies", on page 9, objects which are protected are 
stored in the protected objects database and access is granted based on 
the authorization policy attached to these objects. Before access is
granted the protected database is searched and the governing 
authorization policy is determined based on the authorization policy 
attached or associated to these symbolic links which are pointing to the 
target resource as explained on page 19, last paragraph up to page 22 
second paragraph). 

• Generating an authorization decision for the access attempt based on 
security policies that govern all entries in the database protecting the 
system resource. [Page 9, paragraph 4, reference "Protected Object 
Policies"; page 19, reference "File System Aliases" up to page 22 second 
paragraph] (As explained under the title "Protected Object Policies", on 
page 9, objects which are protected are stored in the protected objects 
database and access is granted based on the authorization policy
attached to these objects. When this database is searched the
governing authorization policy is determined based on the authorization
policy attached or associated to these symbolic links which are pointing
to the target resource. The authorization decision for the access attempts
is made after the security authorization policies which are attached to all
entities or all symbolic links which are pointing to the target resources
are checked or examined. The decision will be made accordingly after all
entities or symbolic links are examined as explained on page 19,
reference "File System Aliases" up to page 22 second paragraph)

Referring to the previous independent claim 13, Tivoli discloses a
method for controlling access to a computing system device being accessed
through symbolic link, said access control being implemented through an
externally stored resource [Page 1, paragraph 3 and 4; page 9, reference "File
System Aliases"] comprising the steps of:

• Monitoring the computing system for activities related to creating and 
accessing symbolic links that link to system resources; [Page 19, reference "File 
System Aliases"- page 22 second paragraph; page 23, reference "Trusted 
Computing Base Resources"; page 52, reference "TCB Monitoring"] 

• Restricting the creation of symbolic link files based on the rules defined
in the externally stored resource/authorization policy; [Page 1, paragraph 3 and
4; Page 15-page 17; page 9 paragraph 4; page 19, reference "File System Aliases"
-page 22 second paragraph]

• Restricting accesses to system resources that are linked to and accessed
by a symbolic link; [page 19, reference "File System Aliases" -page 22 second
paragraph]

Referring to the previous independent claim 22, Tivoli discloses a
computer connectable to a distributed computing system, which included
symbolic links pointing to system resources and comprising:

• A processor; [Page 53, table "30", reference "Monitor-threads,
description"]

• A native operating system; [page 2, figure 1, ref. "Native OS services"] 

• Application programs; [Page 2, figure 1, ref. "PDOS"; page 74, last
paragraph- page 75, first paragraph] (PDOS is an application program that is
installed on each machine that is needed to be protected as explained on page 2,
1st paragraph, last line.)

• An externally stored authorization program overlaying said native 
operating system and augmenting the standard security controls of said 
native operating system; [Page 1, 3rd paragraph, under the title
"understanding PDOS"] 

• A protected objects database within said external authorization program 
containing as entries protected symbolic link files and system resources 
pointed to by these protected symbolic links such that the protection of 
the symbolic link is attached to said system resources; [Page 1, 3rd and
4th paragraph; page 2, reference "PDOS Databases"; page 9, reference
"Protected Object Policies"; page 19, reference "File System Aliases" up to 
page 22 second paragraph] 

• A decision component with said authorization program for controlling
access to system resources being accessed through symbolic links; and a
decision component with said authorization program for controlling the
creation of symbolic links through which system resources are
accessed. [Page 2, reference "PDOS DataBases" - page 3, 1st paragraph;
Page 9, reference "Protected Object Policies"; page 19, last paragraph-
page 22 second paragraph]

• However, Applicants traversed the examiner's first office action and 
argued that Tivoli is a division of IBM, which is the same assignee of the present 
application. Applicant further argued that the cited reference merely documents 
the inventors' own invention. Further, applicant indicated that the reference 
only displays a copyright notice of 2000 and this fact does not indicate the exact 
date of the publication. In addition, applicant said that the present invention 
was submitted for internal review and preparation of the patent application prior 
to these release dates. 

• Examiner, on August 17, 2005, requested (Requirement under Rule
105) that the applicant submit the publication date
of the reference.

Finally, applicant confirmed that the records of the Assignee show a date of
conception of July 18, 2000. Applicant further indicated that the internal 
approval process for IBM and the process of preparation and filing of the 
application immediately followed. 

For the above reason, the "Tivoli" reference used as prior art, which had a
copyright date of November 7, 2000, is withdrawn, as the applicant indicated that
the conception date of the application is July 18, 2000, which is before
the reference date (November 7, 2000).

Furthermore, the specification and the respective independent claims are further
amended so that the independent claims would not only result in a practical
application producing a concrete and useful result, but also produce a
tangible result to form the basis of statutory subject matter under 35
U.S.C. 101.

None of the prior art of record, taken singularly or in combination, teaches or
suggests a method for controlling access to a computing system resource, being
accessed through a symbolic link file, with an externally stored resource
comprising the steps/limitations recited in the respective amended independent
claims 1, 13-14 and 23. For this reason, independent claims 1, 13-14 and 23
are allowed.

7. The dependent claims, which depend on the above independent claims
1, 13-14 and 23, being further limiting to the independent claims, definite and
enabled by the specification, are also allowed.



Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should 
preferably accompany the issue fee. Such submission should be clearly labeled
"Comments on Statement of Reasons for Allowance." 



Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Samson B Lemma whose telephone number is 
571-272-3806. The examiner can normally be reached on Monday-Friday (8:00
am - 4:30 pm).

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, BARRON JR GILBERTO can be reached on 571-272-3799. The fax 
phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private
PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).